<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<title>Vulas Analysis Report</title>
<script type="text/javascript">
//<![CDATA[
function toggle(_btn, _div) {
	var elem = document.getElementById(_div);
	
	if(elem.style.display === 'none') {
		elem.style.display = 'block'
		_btn.innerHTML = "-";
	}
	else {
		elem.style.display = 'none'
		_btn.innerHTML = "+";
	}
}
//]]>
</script>
<style>

/* Tooltip from http://www.menucool.com/tooltip/css-tooltip# */
	a.tooltip {
		outline:none;
		color: black;
	}
	a.tooltip strong {line-height:30px;}
	a.tooltip:hover {text-decoration:none;} 
	a.tooltip span {
	    z-index:30;display:none; padding:14px 20px;
	    margin-top:-30px; margin-left:28px;
	    width:600px; line-height:16px;
	}
	a.tooltip:hover span{
	    display:inline; position:absolute; color:#111;
	    border:1px solid #DCA; background:#fffAF0;}
	.callout {z-index:20;position:absolute;top:30px;border:0;left:-12px;}
	    
	/*CSS3 extras*/
	a.tooltip span
	{
	    border-radius:4px;
	    box-shadow: 5px 5px 8px #CCC;
	}

/* Other styles */
	table {
	    border-collapse: collapse;
	}
	table, th, td {
	    border: 1px solid black;
	    padding: 10px;
	    vertical-align: text-top;
	}
	th {
		background-color: #DDDDDD;
	}
	td.descr {
		background-color: #DDDDDD;
		color: black;
		font-size: 75%;
	}
    td.above_threshold {
        background-color: #FF9999;
    }
	td.apps {
		padding: 0px;
	}
	h2.build_exception {
	    color: red;
	}
	h2.build_ok {
	    color: green;
	}
	a {
	    text-decoration: none;
	}
</style></head>
<body>

<img align="right" width="159" height="239" src=""/>


<h2>Vulas Analysis Report</h2>
<div>
	<p>Generated at: $generatedAt</p>
	<p>Generated for:</p>
	<table>
		<tr>
			<th>Space</th><th>GroupId</th><th>ArtifactId</th><th>Version</th>
		</tr>
		<tr>
			<td>$space.getSpaceToken()</td>
			<td>$app.getMvnGroup()</td>
			<td>$app.getArtifact()</td>
			<td>$app.getVersion()</td>
		</tr>
	</table>
	<p>Aggregated report: $isAggregated</p>
	#if($isAggregated)
		<p>Aggregated projects ($projects.size()):&nbsp;<a href="#" onClick="toggle(this, 'projects')">+</a></p>
		<div id="projects" style="display: none;">
			<table>
			<tr>
				<th>GroupId</th><th>ArtifactId</th><th>Version</th>
			</tr>
			#foreach( $prj in $projects)
			<tr>
				<td>$prj.getMvnGroup()</td>
				<td>$prj.getArtifact()</td>
				<td>$prj.getVersion()</td>
			</tr>
			#end
			</table>
		</div>
	#end
</div>

<h2>Plugin Configuration&nbsp;<a href="#" onClick="toggle(this, 'plugin_config')">+</a></h2>
<div id="plugin_config" style="display: none;">
	<table>
		<tr>
			<th>Parameter</th>
			<th>Actual Value</th>
			<th>Parameter Description</th>
		</tr>
		<tr>
			<td>exceptionThreshold</td>
			<td>$exceptionThreshold</td>
			<td>Specifies if and when the plugin will throw a build exception.<br/><br/>
			Possible values (default: dependsOn):
			<ul>
				<li>noException - no build exception will be thrown, regardless of the analysis results
				<li>dependsOn - an exception will be thrown if at least one application project depends on an archive with known vulnerabilities (typically by declaring a dependency in the POM file)
				<li>potentiallyExecutes* - an exception will be thrown if at least one  application project can potentially execute vulnerable code (according to static source code analysis).
				<li>actuallyExecutes* - an exception will be thrown if at least one application project actually executes vulnerable code during application tests.
			</ul>
			* Please consider <a href="https://sap.github.io/vulnerability-assessment-tool/user/manuals/assess_and_mitigate/#static-and-dynamic-analysis">this notice</a> when using those configuration options.  
			</td>
		</tr>
		<tr>
			<td>exceptionScopeBlacklist</td>
			<td>$exceptionScopeBlacklist</td>
			<td>List of scopes that will be ignored when deciding whether to throw a build exception<br/><br/>Possible values: compile, provided, runtime, test, system<br/>Default: [TEST, PROVIDED]</td>
		</tr>
		<tr>
			<td>exceptionExcludedBugs</td>
			<td>$exceptionExcludedBugs</td>
			<td>
				List of security vulnerabilities that will be ignored (exempted) when deciding whether to throw a build exception
				<br/><br/>Example: CVE-2014-0050
				<br/>Default: none
				#if( $obsoleteExemptionsHistorical || $obsoleteExemptionsSignatureNotPresent )
					<br/><br/>Obsolete exemptions (historical vulnerabilities): $obsoleteExemptionsHistorical
					<br/>Obsolete exemptions (signatures of vulnerable code not present): $obsoleteExemptionsSignatureNotPresent
				#end
			</td>
		</tr>
	</table>	
</div>

#if($thresholdMet)
<h2 class="build_ok">Analysis Result: Success&nbsp;<a href="#" id="resultBtn" onClick="toggle(this, 'result')">+</a></h2>
#else
<h2 class="build_exception">Analysis Result: Failure&nbsp;<a href="#" id="resultBtn" onClick="toggle(this, 'result')">-</a></a></h2>
#end
<div id="result" style="display: block;">
	<p>
	#if($thresholdMet)
		No critical dependencies on vulnerable archives have been found (critical according to the defined threshold of &quot;$exceptionThreshold&quot;), no build exception is thrown.</p>
	#else
		One or more critical dependencies on vulnerable archives have been found (critical according to the defined threshold of <b>$exceptionThreshold</b>, and considering the excluded scopes and bugs).
		Accordingly, a build exception is thrown in order to break the current build process.
		Those application projects in whose context the exception threshold is violated are highlighted in red font. Please correct those dependencies in order to avoid the build exception.
	#end
	</p>
	<p>
		The following table shows all archives (column #1) that are subject to a known vulnerability (column #2).
		Columns #3-5 list Maven application projects that have a dependency on the respective archive, click on them to see more details in the Vulas Web Frontend.
	</p>
	<p>
		#if($isAggregated)
			Since this is an aggregated report, the application projects listed in the table are submodules of the project for which the report was created.
		#else
			Since this a non-aggregated report, the application project listed in the table is identical to the project for which the report was created.
		#end
	</p>
	<p>
		Note that historical vulnerabilities, i.e., cases in which a previous than the used release of a library was
		vulnerable are skipped in this report. You can still see them in the Vulas Web frontend.
	</p>
	
	<table border="1">
		<tr>
			<th rowspan="2">Archive Filename (SHA1)</th><th rowspan="2">Vulnerability (CVSS Score)</th><th>Applications including
			vulnerable code</th><th>Applications potentially executing vulnerable code</th><th>Applications actually
			executing vulnerable code</th>
		</tr>
		<tr>
			<td class="descr">Applications listed here:<br/>depend on a vulnerable release of the respective archive
				(directly or transitively)</td>
			<td class="descr">Applications listed here:<br/>potentially execute vulnerable code of the respective
				archive (according to static source code analysis)</td>
			<td class="descr">Applications listed here:<br/>actually execute Vulnerable code of the respective
				archive during application tests (JUnit or integration)</td>
		</tr>
		#foreach( $vul in $vulnsToReport )
			<tr>		
				
				#if( $vul.hasFindingsAboveThreshold() )
					<td class="above_threshold"><b>$vul.filename</b><br/>$vul.archiveid</td>
					<td class="above_threshold">
						#if( $vul.bug.getReference().isEmpty() )
							<a href="http://web.nvd.nist.gov/view/vuln/detail?vulnId=$vul.bug.getBugId()" target="_blank">$vul.bug.getBugId()</a><br/>$vul.bug.getCvssDisplayString()
						#else			
							<a href="$vul.bug.getReference().iterator().next()" target="_blank">$vul.bug.getBugId()</a><br/>$vul.bug.getCvssDisplayString()
						#end
					</td>
				#else
					<td><b>$vul.filename</b><br/>$vul.archiveid</td>
					<td>
						#if( $vul.bug.getReference().isEmpty() )
							<a href="http://web.nvd.nist.gov/view/vuln/detail?vulnId=$vul.bug.getBugId()" target="_blank">$vul.bug.getBugId()</a><br/>$vul.bug.getCvssDisplayString()
						#else
							<a href="$vul.bug.getReference().iterator().next()" target="_blank">$vul.bug.getBugId()</a><br/>$vul.bug.getCvssDisplayString()
						#end
					</td>
				#end
				
				<td class="apps">
				
					<ul>
					#foreach( $analysis in $vul.analyses )
							<li>
								<a href="$vulas-backend-serviceUrl/../apps/#/$space.getSpaceToken()/$analysis.getApp().getMvnGroup()/$analysis.getApp().getArtifact()/$analysis.getApp().getVersion()"
									#if($exceptionThreshold=='dependsOn' && $analysis.isThrowsException())
										style="color: red; font-weight: bold;"
									#elseif($exceptionThreshold=='dependsOn' && $analysis.isThrowsExceptionExcluded())
										style="color: darkgrey; font-weight: bold;"
									#end
									class="tooltip" target="_blank">
									$analysis.getApp().getArtifact()
									<span>
										<strong>$analysis.getApp().getMvnGroup() : $analysis.getApp().getArtifact() : $analysis.getApp().getVersion()</strong><br/>
										Scope: $analysis.getDep().getScope()<br/>
										Transitive dependency: $analysis.getDep().getTransitive()
										#if( $exceptionThreshold=='dependsOn' && $analysis.isThrowsExceptionExcluded() )
											<br/>A build exception for this finding was suppressed according to the goal configuration
										#end
									</span>
								</a>
								#if( $analysis.isAffectedVersion() && $analysis.isAffectedVersionConfirmed() )
									<a href="#" class="tooltip">
										<img width="15px" align="center" src=""/>
										<span>The application uses a library version with vulnerable code</span>
									</a>
								#elseif( $analysis.isNoneAffectedVersion() )
									<a href="#" class="tooltip">
										<img width="15px" align="center" src=""/>
										<span>Historical vulnerability: The application uses a library version with non-vulnerable code</span>
									</a>
								#elseif( !$analysis.isAffectedVersionConfirmed() )
									<a href="#" class="tooltip">
										<img width="15px" align="center" src=""/>
										<span>It could not automatically be determined  whether &quot;$vul.filename&quot; is indeed a vulnerable release, please get back to the Vulas team to have this case checked</span>
									</a>
								#end
								<!-- $analysis.getAffectedVersionSourceAsString() -->
							</li>
					#end
					</ul>
				</td>
				
				<td class="apps">
				
					<ul>
					#foreach( $analysis in $vul.analyses )
						#if( !$analysis.isNoneAffectedVersion())
							<li>
								<a href="$vulas-backend-serviceUrl/../apps/#/$space.getSpaceToken()/$analysis.getApp().getMvnGroup()/$analysis.getApp().getArtifact()/$analysis.getApp().getVersion()"
									#if( $exceptionThreshold=='potentiallyExecutes' && $analysis.isThrowsException())
										style="color: red; font-weight: bold;"
									#elseif($exceptionThreshold=='potentiallyExecutes' && $analysis.isThrowsExceptionExcluded())
										style="color: darkgrey; font-weight: bold;"
									#end
									class="tooltip" target="_blank">
									$analysis.getApp().getArtifact()
									<span>
										<strong>$analysis.getApp().getMvnGroup() : $analysis.getApp().getArtifact() : $analysis.getApp().getVersion()</strong><br/>
										Scope: $analysis.getDep().getScope()<br/>
										Transitive dependency: $analysis.getDep().getTransitive()
										#if( $exceptionThreshold=='potentiallyExecutes' && $analysis.isThrowsExceptionExcluded() )
											<br/>A build exception for this finding was suppressed according to the goal configuration
										#end
									</span>
								</a>
								#if( $analysis.isReachable() )
									<a href="#" class="tooltip">
										<img width="15px" align="center" src=""/>
										<span>Vulnerable library code is potentially reachable</span>
									</a>
								#elseif( $analysis.isNotReachable() )
									<a href="#" class="tooltip">
										<img width="15px" align="center" src=""/>
										<span>Non-vulnerable library is potentially reachable</span>
									</a>
								#elseif( !$analysis.isReachableConfirmed() )
									<a href="#" class="tooltip">
										<img width="15px" align="center" src=""/>
										<span>No library code reachable or reachability analysis not performed</span>
									</a>
								#end
							</li>
						#end
					#end
					</ul>
				</td>
				
				<td class="apps">
				
					<ul>
					#foreach( $analysis in $vul.analyses )
						#if( !$analysis.isNoneAffectedVersion())
							<li>
								<a href="$vulas-backend-serviceUrl/../apps/#/$space.getSpaceToken()/$analysis.getApp().getMvnGroup()/$analysis.getApp().getArtifact()/$analysis.getApp().getVersion()"
									#if( $exceptionThreshold=='actuallyExecutes' && $analysis.isThrowsException())
										style="color: red; font-weight: bold;"
									#elseif($exceptionThreshold=='actuallyExecutes' && $analysis.isThrowsExceptionExcluded())
										style="color: darkgrey; font-weight: bold;"
									#end
									class="tooltip" target="_blank">
									$analysis.getApp().getArtifact()
									<span>
										<strong>$analysis.getApp().getMvnGroup() : $analysis.getApp().getArtifact() : $analysis.getApp().getVersion()</strong><br/>
										Scope: $analysis.getDep().getScope()<br/>
										Transitive dependency: $analysis.getDep().getTransitive()
										#if( $exceptionThreshold=='actuallyExecutes' && $analysis.isThrowsExceptionExcluded() )
											<br/>A build exception for this finding was suppressed according to the goal configuration
										#end
									</span>
								</a>
								#if( $analysis.isTraced() )
									<a href="#" class="tooltip">
										<img width="15px" align="center" src=""/>
										<span>Vulnerable library code executed during tests
										<!-- <br/>
										When: $analysis.datetime-->
                                        </span>
									</a>
								#elseif( $analysis.isNotTraced() )
									<a href="#" class="tooltip">
										<img width="15px" align="center" src=""/>
										<span>Non-vulnerable library code executed during tests</span>
									</a>
								#elseif( !$analysis.isTracedConfirmed() )
									<a href="#" class="tooltip">
										<img width="15px" align="center" src=""/>
										<span>No library code executed or no tests have been performed</span>
									</a>
								#end
							</li>
						#end
					#end
					</ul>
				</td>	
			</tr>
		#end
	</table>
</div>

<h2>Contact&nbsp;<a href="#" onClick="return toggle(this, 'contact');">+</a></h2>
<div id="contact" style="display: none;">
	<ul>
		<li><a href="$vulas-backend-serviceUrl/../apps/" target="_blank">Vulas Web Frontend</a>: The frontend of the central Vulas engine (with which the Maven plugin communicates during execution)</li>
		<li><a href="$vulas-shared-homepage" target="_blank">Vulas Wiki</a>: General end user and background information</li>
		<li><a href="mailto:DL VULAS">mailto: DL VULAS</a>: Get assistance from and provide feedback to the Vulas development team</li>
	</ul>
</div>
</body>
</html>